Re: [Dnsmasq-discuss] many tap devices, provide dhcp and ipv6 slaac

2016-05-27 Thread Vasiliy Tolstov
2016-05-27 17:56 GMT+03:00 Neil Jerram :
> Hi Vasiliy,
>
> I assume your TAP devices are _not_ bridged on the host?
>
> If so, you can use the same approach as we use for Calico networking in
> OpenStack -
> http://docs.openstack.org/developer/networking-calico/implementation-notes.html#dhcp
>
> You'll need:
>
> a dummy interface, with an address in the 85.143.220/24 CIDR
> to populate the dnsmasq hosts file with the IP/MAC mappings for your VMs
> to tell dnsmasq to listen on the dummy interface and all the TAPs, and treat
> the TAPs as aliases of the dummy interface (using --bridge-interfaces).
>
> Hope that helps - happy to provide more detail if you need.
>
>   Neil
>
>


Thanks! Do I need an address with the corresponding netmask on the dummy
interface, or can I use a /32 address that acts like a gateway for the VM?
I have had some discussion on the libvirt mailing list about plain ethernet
devices, and my next plan is to add the ability to configure dnsmasq via libvirt
for these networks.
So in the case of libvirt I have dnsmasq running on virtbr0, for example,
and on each VM start I need to reconfigure dnsmasq to add the needed tap
device to it? Why can't I use --interface=tap*? Does dnsmasq monitor
network interfaces via netlink and automatically listen on them when they are added
to the host?

-- 
Vasiliy Tolstov,
e-mail: v.tols...@yoctocloud.net

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] many tap devices, provide dhcp and ipv6 slaac

2016-05-27 Thread Neil Jerram
Hi Vasiliy,

I assume your TAP devices are _not_ bridged on the host?

If so, you can use the same approach as we use for Calico networking in
OpenStack -
http://docs.openstack.org/developer/networking-calico/implementation-notes.html#dhcp

You'll need:

   - a dummy interface, with an address in the 85.143.220/24 CIDR
   - to populate the dnsmasq hosts file with the IP/MAC mappings for your
   VMs
   - to tell dnsmasq to listen on the dummy interface and all the TAPs, and
   treat the TAPs as aliases of the dummy interface (using
   --bridge-interfaces).

Hope that helps - happy to provide more detail if you need.

  Neil



On Fri, May 27, 2016 at 3:32 PM Vasiliy Tolstov  wrote:

> Hi. I have the following setup:
>
> ip -4 a s tap37183
> 148: tap37183:  mtu 1500 qdisc htb
> state UNKNOWN group default qlen 500
> link/ether fe:54:00:00:58:9f brd ff:ff:ff:ff:ff:ff
> inet 85.143.216.1/32 scope global tap37183
>valid_lft forever preferred_lft forever
> inet 192.168.240.110 peer 85.143.220.84/32 scope global tap37183
>valid_lft forever preferred_lft forever
>
> 85.143.216.1/32 is the gw address for the VM
>
> 192.168.240.110 peer 85.143.220.84/32 scope global tap37183
> this is the host address with the VM address added as peer (/32)
>
> What do I need to add to the dnsmasq config to serve a DHCP request
> from this VM with MAC 25:54:00:00:58:9f, giving it the address 85.143.220.84
> with netmask /24?
>
> Thanks!
> --
> Vasiliy Tolstov,
> e-mail: v.tols...@yoctocloud.net
>
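The setup Neil describes (a dummy interface carrying an address in the VM /24, a static hosts file, and every TAP aliased onto the dummy with dnsmasq's bridge-interface option, which is how the man page spells it), as an added example in POSIX sh. It is not code from the thread, from Calico or from dnsmasq itself. The interface name dummy0, the dummy address 85.143.220.1/24, the output directory, the hostnames and the second VM's MAC are assumptions; the VM CIDR 85.143.220.0/24 and tap37183 come from the thread. The hosts-file helper rejects group (multicast) MACs, whose first octet has the low bit set, because no NIC sends DHCP from such an address; the MAC as written in the original post, 25:54:00:00:58:9f, has that bit set, so the sample uses 52:54:00:00:58:9f, an assumption.

```shell
#!/bin/sh
# Added example (not from the thread, Calico or dnsmasq): render the dnsmasq
# configuration for unbridged TAP devices using Neil's dummy-interface approach.
# Assumptions: interface name dummy0, dummy address 85.143.220.1/24 (any free
# address in the VM /24 works), the output directory, hostnames and the VM MACs.
# The VM CIDR 85.143.220.0/24 and tap37183 come from the thread.
set -eu

OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/dnsmasq-tap-example}"
DUMMY_IF="dummy0"
DUMMY_ADDR="85.143.220.1/24"
VM_NET="85.143.220.0"
VM_MASK="255.255.255.0"

# dummy_iface_cmds: the root-only ip(8) commands that create the dummy interface.
# Printed rather than run so the script itself needs no privileges; pipe to "sudo sh".
dummy_iface_cmds() {
    printf 'ip link add %s type dummy\n' "$DUMMY_IF"
    printf 'ip addr add %s dev %s\n' "$DUMMY_ADDR" "$DUMMY_IF"
    printf 'ip link set %s up\n' "$DUMMY_IF"
}

# hosts_entry MAC IP NAME: one line for --dhcp-hostsfile with an infinite lease.
# Rejects malformed MACs and group (multicast) MACs, i.e. a first octet with the
# low bit set: dnsmasq could never match such an entry against a real client.
hosts_entry() {
    mac=$1 ip=$2 name=$3
    h='[0-9a-fA-F]'
    case "$mac" in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) ;;
        *) printf 'hosts_entry: malformed MAC %s\n' "$mac" >&2; return 1 ;;
    esac
    case "${mac%%:*}" in
        ?[13579bBdDfF]) printf 'hosts_entry: group MAC %s\n' "$mac" >&2; return 1 ;;
    esac
    printf '%s,%s,%s,infinite\n' "$mac" "$ip" "$name"
}

# render_conf TAP...: dnsmasq.conf that listens on the dummy and every TAP, has
# DHCP arriving on a TAP handled as if it arrived on the dummy, and hands out
# only the static leases from the hosts file (an unknown MAC gets no address).
render_conf() {
    [ $# -gt 0 ] || { printf 'render_conf: at least one TAP required\n' >&2; return 1; }
    aliases=""
    for tap in "$@"; do aliases="$aliases,$tap"; done
    printf 'bind-dynamic\n'          # bind per interface; follow TAPs that appear later (Linux)
    printf 'dhcp-authoritative\n'    # answer requests for unknown leases instead of ignoring them
    printf 'dhcp-hostsfile=%s/dhcp-hosts\n' "$OUT_DIR"
    printf 'dhcp-range=%s,static,%s\n' "$VM_NET" "$VM_MASK"
    printf 'interface=%s\n' "$DUMMY_IF"
    for tap in "$@"; do printf 'interface=%s\n' "$tap"; done
    printf 'bridge-interface=%s%s\n' "$DUMMY_IF" "$aliases"
}

# write_config: constructed sample with the thread's VM plus one hypothetical one.
write_config() {
    mkdir -p "$OUT_DIR"
    {
        hosts_entry 52:54:00:00:58:9f 85.143.220.84 vm37183     # assumption: guest-side MAC
        hosts_entry 52:54:00:00:58:a0 85.143.220.85 vm-example  # constructed second VM
    } > "$OUT_DIR/dhcp-hosts"
    render_conf tap37183 tap-example > "$OUT_DIR/dnsmasq.conf"
}

write_config
dummy_iface_cmds
printf 'wrote %s/dnsmasq.conf and %s/dhcp-hosts\n' "$OUT_DIR" "$OUT_DIR"
```

Run unprivileged it only writes the two files and prints the ip(8) commands, which need root. bind-dynamic binds each interface individually, so this instance can coexist with the dnsmasq libvirt already runs on its own bridge, and on Linux it picks up TAPs created after startup; interface= also accepts a trailing * wildcard. bridge-interface treats IPv6 Router Solicitations the same way as DHCP, which is the hook for the SLAAC half of the subject. Router and DNS options are deliberately left out because the thread's gateway, 85.143.216.1, lies outside the VM /24.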


[Dnsmasq-discuss] many tap devices, provide dhcp and ipv6 slaac

2016-05-27 Thread Vasiliy Tolstov
Hi. I have the following setup:

ip -4 a s tap37183
148: tap37183:  mtu 1500 qdisc htb
state UNKNOWN group default qlen 500
link/ether fe:54:00:00:58:9f brd ff:ff:ff:ff:ff:ff
inet 85.143.216.1/32 scope global tap37183
   valid_lft forever preferred_lft forever
inet 192.168.240.110 peer 85.143.220.84/32 scope global tap37183
   valid_lft forever preferred_lft forever

85.143.216.1/32 is the gw address for the VM

192.168.240.110 peer 85.143.220.84/32 scope global tap37183
this is the host address with the VM address added as peer (/32)

What do I need to add to the dnsmasq config to serve a DHCP request
from this VM with MAC 25:54:00:00:58:9f, giving it the address 85.143.220.84
with netmask /24?

Thanks!
-- 
Vasiliy Tolstov,
e-mail: v.tols...@yoctocloud.net



[Dnsmasq-discuss] Clarify/Improve DNSSEC related SIGHUP handling

2016-05-27 Thread Kevin Darbyshire-Bryant

Hi Simon,

Please could you consider the attached patch.  It solves a problem where 
using dnssec-timestamp also effectively enabled dnssec-no-timecheck, 
the result of which is that an unfortunately timed SIGHUP could 
accidentally enable dnssec timestamp checking.  In combination with 
dnssec-check-unsigned that could prove 'challenging' :-)

The patch makes the behaviour match what is documented in the manpage.

kind regards,

Kevin
From f94c6d70aaaea0511ef3c7667093b4b54952804e Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant 
Date: Fri, 27 May 2016 10:23:47 +0100
Subject: [PATCH] Improve dnssec SIGHUP behaviour

Signed-off-by: Kevin Darbyshire-Bryant 
---
 src/dnsmasq.c | 7 ---
 src/dnsmasq.h | 1 +
 src/dnssec.c  | 5 +++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 045ec53..a47273f 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -750,7 +750,8 @@ int main (int argc, char **argv)
   
   my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
   
-  if (option_bool(OPT_DNSSEC_TIME))
+  daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
+  if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
   
   if (rc == 1)
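Review bot: `daemon->dnssec_no_time_check` is assigned from OPT_DNSSEC_TIME unconditionally, while the "not checked until first cache reload" log line is now suppressed when `daemon->back_to_the_future` is already set; in that case the daemon still enters the deferred-checking state, just silently. Either make the flag follow the same condition (`daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future;`) if a clock that is already trusted should not defer checking, or keep the message unconditional so the state is visible in syslog. Minor: the second `option_bool(OPT_DNSSEC_TIME)` can reuse the field assigned on the previous line.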
@@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now)
   {
   case EVENT_RELOAD:
 #ifdef HAVE_DNSSEC
-	if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
+	if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
 	  {
 	my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
-	reset_option_bool(OPT_DNSSEC_TIME);
+	daemon->dnssec_no_time_check = 0;
 	  } 
 #endif
 	/* fall through */
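Review bot: with `reset_option_bool(OPT_DNSSEC_TIME)` gone, the option bit now only records the configuration and the runtime state lives in the new field, which is what closes the SIGHUP window; the trailing `option_bool(OPT_DNSSEC_TIME)` in the condition is therefore redundant, since the field is only ever set from that option in the first hunk, and dropping it keeps one source of truth. Also, this log line now fires only while the field is still set, so a reload queued from check_date_range after it has cleared the field will not log here; that is fine as long as the message added in dnssec.c stays.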
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1896a64..be27ae0 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -992,6 +992,7 @@ extern struct daemon {
 #endif
 #ifdef HAVE_DNSSEC
   struct ds_config *ds;
+  int dnssec_no_time_check;
   int back_to_the_future;
   char *timestamp_file;
 #endif
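Review bot: the new field has no comment distinguishing it from OPT_DNSSEC_TIME. A one-line note that this is the mutable runtime copy (cleared on the first cache reload or once the system clock is trusted) while the option bit stays as configured would stop the next reader from reintroducing the set/reset of the option bit that this patch removes.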
diff --git a/src/dnssec.c b/src/dnssec.c
index 3c77c7d..64358fa 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end)
 	  if (utime(daemon->timestamp_file, NULL) != 0)
 	my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
 	  
+	  my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps."));
 	  daemon->back_to_the_future = 1;
-	  set_option_bool(OPT_DNSSEC_TIME);
+	  daemon->dnssec_no_time_check = 0;
 	  queue_event(EVENT_RELOAD); /* purge cache */
 	} 
 
   if (daemon->back_to_the_future == 0)
 	return 1;
 }
-  else if (option_bool(OPT_DNSSEC_TIME))
+  else if (daemon->dnssec_no_time_check)
 return 1;
   
   /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
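Review bot: the new syslog string ends with a full stop, unlike the equivalent "now checking DNSSEC signature timestamps" in async_event, and it adds a second translatable string for the same event; the "system time considered valid" prefix is the useful part, so either drop the full stop or reuse the existing string. On the logic, clearing `daemon->dnssec_no_time_check` here is unconditional, which also cancels a configured dnssec-no-timecheck when both options are given; because EVENT_RELOAD is queued on the next line that coincides with the first-reload behaviour the cover note cites, but a short comment saying so would save the question in future review.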
-- 
1.9.1
